How Hackers Could Manipulate The ‘Smart’ Wrenches Used To Build New Cars

Modern auto factories rely on strict process controls to ensure that cars are built right. Any mistakes on the production line could require expensive rework to rectify, or lead to quality issues for customers which can lead to recalls and a damaged reputation. Smart tools are key to maintaining quality, allowing companies to ensure they’re not shipping cars with loose fasteners. However, these smart tools can be vulnerable to hackers, new research has revealed.

The news comes from Nozomi Networks, a cybersecurity company that investigates a wide variety of industrial equipment for vulnerabilities. As described in a report titled “Vulnerabilities on Bosch Rexroth Nutrunners May Be Abused to Stop Production Lines, Tamper with Safety-Critical Tightenings,” Nozomi Networks researchers were able to uncover a number of vulnerabilities in the Bosch Rexroth NXA015S-36V-B. If you’re not familiar with this tool, Nozomi Networks describes it as “a popular smart nutrunner (pneumatic torque wrench) used in automotive production lines.” So, basically it’s a tool for tightening fasteners to specific torques to make sure parts are held together properly (it’s worth noting that the photos in the report show a battery-powered wrench, though the wrench in question is indeed a “pneumatic torque wrench,” per Bosch itself. More on Bosch’s response in a moment).

The “smart” aspect of the tool comes from the fact that it is network connected via WiFi, enabling it to log the torque and total tightening angle it applies to each fastener to a server for quality assurance purposes. It’s that network connectivity that poses a risk to the tool, and the factories that depend on it, according to Nozomi Networks.

The dangers of a hacked nutrunner could be numerous, with Nozomi Networks mentioning that a production line could theoretically be shut down and that fasteners could be over- or under-tightened while correct torques are reported in quality logs. From Nozomi Networks:

We demonstrate that these vulnerabilities could make it possible to implant ransomware on the device, which could be used to cause production line stoppages and potentially large-scale financial losses to asset owners. Another exploitation would allow the threat actor to hijack tightening programs while manipulating the onboard display, causing undetectable damage to the product being assembled or making it unsafe to use. Given that the NXA015S-36V-B is certified for safety-critical tasks, an attacker could compromise the safety of the assembled product by inducing suboptimal tightening, or cause damage to it due to excessive tightening.

In other words, a hacked tool could lead to products built with parts that fall off, or bolts that shear in service from being over-torqued, and that’s obviously not good.

The Bosch Rexroth NXA015S-36V-B. The cordless nutrunner communicates over WiFi to log fastener torque for quality purposes.

Such tools are used in all kinds of factories where fastener torques are critical. By measuring torque and the total angle the fastener is turned, the device can ensure the fastener is torqued to spec and that any necessary washers are present.

Nozomi Networks has already notified Bosch Rexroth of the issue, and Bosch Rexroth has “committed to releasing patches by the end of January 2024.” As the patch is not yet available, the company has not revealed specific technical details of how the nutrunners are vulnerable. However, its report includes a list of 25 vulnerabilities in the NEXO-OS operating system used on the tools, and even outlines “mitigations that asset owners can implement to safeguard against cyberattacks.”

The researchers were able to demonstrate the weakness of the tools by installing a proof-of-concept ransomware, which displays a notice on the screen of the tools. In theory, this could be used to hold a production-line to ransom until a sum was paid to hackers, with Nozomi Networks noting a rather grim potential scenario:

A group of malicious hackers might render an assembly line unusable if you don’t pay a fortune in crypto currency to the threat group. A resulting ransom demand may be millions of dollars, before considering the remediation and response costs.

Given that even a short shutdown to a production line can quickly run into the tens or hundreds of thousands of dollars, it’s easy to imagine a business contemplating paying such a sum—no matter how much conventional wisdom might recommend against it.

Nozomi Networks discusses what it found in testing, writing:

Within our lab environment, we successfully reconstructed the following two scenarios:

  • Ransomware: we were able to make the device completely inoperable by preventing a local operator from controlling the drill through the onboard display and disabling the trigger button. Furthermore, we could alter the graphical user interface (GUI) to display an arbitrary message on the screen, requesting the payment of a ransom. Given the ease with which this attack can be automated across numerous devices, an attacker could swiftly render all tools on a production line inaccessible, potentially causing significant disruptions to the final asset owner.
Researchers ran a proof-of-concept ransomware attack on the tools. Credit: Nozomi Networks
  • Manipulation of Control and View: we managed to stealthily alter the configuration of tightening programs, such as by increasing or decreasing the target torque value. At the same time, by patching in-memory the GUI on the onboard display, we could show a normal value to the operator, who would remain completely unaware of the change.
In what is termed a “manipulation of view” attack, the tool was commanded to tighten a fastener to 0.15 Nm, while displaying just 0.05 Nm. Credit: Nozomi Networks
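
In the manipulation-of-view scenario, neither the onboard display nor the tool's own QA log can be trusted on its own, so a defender needs a reading the tool does not control. The following is an added example, not code from Nozomi Networks, Bosch Rexroth or the original article: it cross-checks tool-reported torque against an independent audit measurement (assumed here to come from a separately calibrated torque checker), and the record layout, tool IDs, 10% tolerance and all sample values are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Tightening:
    tool_id: str
    spec_nm: float             # target torque from the off-tool engineering spec
    reported_nm: float         # value the tool logged to the QA server
    audit_nm: Optional[float]  # independent reading; None if the joint was not sampled


def rel_gap(measured: float, reference: float) -> float:
    """Relative difference between two torque values."""
    return abs(measured - reference) / reference


def classify_tools(records, tolerance=0.10, min_samples=3):
    """Return {tool_id: verdict} from QA log rows plus independent audit readings.

    A tool whose log matches the spec while the audit readings do not is the
    case a display or log check alone can never catch.
    """
    by_tool = {}
    for r in records:
        by_tool.setdefault(r.tool_id, []).append(r)

    verdicts = {}
    for tool_id, rows in by_tool.items():
        audited = [r for r in rows if r.audit_nm is not None]
        if len(audited) < min_samples:
            # Too few independent readings: the log alone proves nothing.
            verdicts[tool_id] = "insufficient_audit"
            continue
        # Medians keep one bad joint from deciding the verdict for a tool.
        audit_gap = median(rel_gap(r.audit_nm, r.reported_nm) for r in audited)
        log_gap = median(rel_gap(r.reported_nm, r.spec_nm) for r in rows)
        if audit_gap > tolerance:
            verdicts[tool_id] = "report_disagrees_with_audit"
        elif log_gap > tolerance:
            verdicts[tool_id] = "out_of_spec"   # honest log, wrong torque
        else:
            verdicts[tool_id] = "ok"
    return verdicts


# Constructed sample data: (tool, spec, reported, audit) in Nm.
SAMPLE = [Tightening(*row) for row in [
    ("NR-01", 12.0, 12.1, 12.2), ("NR-01", 12.0, 11.9, 11.8), ("NR-01", 12.0, 12.0, 12.1),
    ("NR-02", 12.0, 12.0, 18.1), ("NR-02", 12.0, 12.0, 17.9), ("NR-02", 12.0, 12.1, 18.3),
    ("NR-03", 12.0, 9.0, 9.0),   ("NR-03", 12.0, 9.1, 9.2),   ("NR-03", 12.0, 8.9, 8.8),
    ("NR-04", 12.0, 12.0, 12.1), ("NR-04", 12.0, 12.0, None), ("NR-04", 12.0, 12.1, None),
]]

if __name__ == "__main__":
    for tool, verdict in classify_tools(SAMPLE).items():
        print(f"{tool}: {verdict}")
```

A static audit reading taken after tightening will not equal the dynamic torque the tool measured, so the tolerance has to be set per joint type rather than taken from this sketch.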

Speaking to The Autopian, Bosch Rexroth confirmed that the company is aware of the matter and is developing a solution. The company has also posted a threat advisory to customers on its Product Security website. Per a Bosch spokesperson, who began by making it clear that “security is a top priority” at the company:

Nozomi Networks informed us some weeks ago that they have found that there is a vulnerability associated with the Bosch Rexroth NXA015S-36V-B, a smart nutrunner/pneumatic torque wrench. Bosch Rexroth immediately took up this advice and is working on a patch to solve the problem. This patch will be released at the end of January 2024.

Since January 8, 2024, customers can find a “Security Advisory” on the Bosch Rexroth homepage in the area “Product Security” https://www.boschrexroth.com/en/dc/product-security/security-advisories/ or on https://psirt.bosch.com/security-advisories/bosch-sa-711465.html

The relevant Bosch Rexroth product Bosch Rexroth NXA015S-36V-B has been used by Bosch Rexroth customers for many years, so far there have been no cases of data loss. As our customers have the expertise to evaluate the very limited risk of this situation, we have had only limited customer questions. It is strongly recommended to operate the Nexo cordless nutrunner in protected network segments.

Most of the vulnerabilities are a little arcane, but some are simple and seemingly embarrassing. One vulnerability (CVE-2023-48250) involves the use of hard-coded credentials baked into the tools. As I understand it, it’s kind of like if your Wi-Fi router at home had a secret account that you couldn’t change the password for, and so any attacker that knew about it could get into your network. Armed with this entry point, an attacker could combine that with another vulnerability, known as CVE-2023-48243. This allows the hacker to upload arbitrary files to different parts of the tool’s storage via a simple method. Using this, the hacker could run their own code on the device, such as to modify torque settings or lock out the tool and display a ransomware message.

Given the level of vulnerability, Nozomi Networks advises users to restrict any means by which a hacker might reach the network the tools are operating on in order to prevent attacks. According to Bosch’s rating on the Common Vulnerability Scoring System V3.1, the vulnerabilities were rated as Medium and High, the latter being one level below the highest rating of Critical.

At the time of writing, a Bosch spokesperson indicated they were unable to state the number of automakers that currently use the specific tool in question. The Autopian will update this article if such numbers become available.

It may be that no major automaker uses the specific Bosch Rexroth tool that was subject to this vulnerability. However, a vast number of automakers and other manufacturers use tools similar to these, both from Bosch and other tool companies. We often think of our desktop and laptop computers as the main devices at risk to hackers, and, I guess, increasingly our cars’ infotainment systems. In reality, anything on a network is a target. This incident highlights that even individual hand tools must be carefully designed from a cybersecurity perspective, especially when it comes to safety-critical applications. In the automotive world, much like aerospace and maritime applications, a loose fastener can put lives on the line.

Having a connected tool is great to ensure that vehicles are well built, but the industry must work to prevent that connection creating risk. Preventative measures do exist, as Bosch notes, such as only using such tools on protected and separated network segments. The tools can be secured further in future, to be sure, but they should also be protected from the outside world as much as possible. This research will remind many working in infrastructure cybersecurity — and also executives — just how much could be at risk.

Image credits: Nozomi Networks, Bosch

45 Comments
Chartreuse Bison
3 months ago

I know it says Nutrunners, but I can’t read an article about hackers and not hear “net-runners”

James Mason
3 months ago

I wonder if white-hat hackers could get into the nutrunners at Boeing and actually prevent door plugs from blowing out.

AlterId
3 months ago

Let me preempt whoever might come in to say “‘Rexroth Nutrunners’ would be a great name for a band.” Perhaps it would. But it would be a far better name for an itinerant band of male strippers performing at various gay male and/or hen party venues across the West Midlands.

Myk El
3 months ago
Reply to  AlterId

Rexroth’s Midnight Nutrunners. I don’t want to hear that version of “Come on Eileen.”

AlterId
3 months ago
Reply to  Myk El

Or see the video.

Cheap Bastard
3 months ago

So why don’t these things simply have a hard reset button? I’d think it would take less time to simply wipe the contaminated program and reload it from firmware than to pay the ransom.

Ben
3 months ago
Reply to  Cheap Bastard

Yeah, when they talked about “a fortune in Bitcoin” my first thought was “or just get new tools”. This isn’t like ransomware that encrypts irreplaceable data.

Cheap Bastard
3 months ago
Reply to  Ben

I get that to replace the bricked tools would take time, time that the production schedule can’t afford. If that’s the case, yeah, have spare tools available and use those while the contaminated ones are being cleaned out by IT.

Slow Joe Crow
3 months ago

Stuff like this is why you keep your SCADA networks isolated and heavily firewalled if not air gapped. Because the internet of things and depressing amount of industrial controllers have piss poor security. Even then you have to guard against idiots with USB sticks (the Stuxnet vector) and idiots with home routers or cell phone hotspots bridging networks.
I work in IT and some clients have SCADA systems and some clients need to be ITAR compliant so we have VLANs, firewalls and management buy in that people who violate IT security get fired.
Back on topic, Tesla needs these to address their horrible record of suspension failures

The F--kshambolic Cretinoid Harvey Park
3 months ago
Reply to  Slow Joe Crow

It’s weird and sad how so many enterprise networks don’t have basic network segmentation down.

Goblin
3 months ago

I can’t for the life of me find this article (it wasn’t in English and I forgot in what forgotten part of the web I read it eons ago), but one of the first industrial level “computer” hacks happened in the USSR, at the end of the 70’s, at the Moskvich factory.

A young computer engineer (for whatever computers they had) kept being passed on for his vacation request (vacations in most of the Eastern block were heavily dependent on one’s employer not only timeframe wise, but also for most everything else – simple mortals could only get decent vacation time if they used the employer’s vacation villages at specific places, so if a company owned a vacation tent village close to the beach you’d be SOL if you got your vacation during the winter). So the guy became increasingly resentful.

Eventually, he got his vacation time after everybody else. Before leaving, he changed some setting in the main program and left.

The change threw the conveyor belts out of whack, making the different elements arrive at specific stations ever so slightly out of sync – too early, or too late. This was not noticed at first, but eventually ballooned as the little differences amplified each other, to a complete lockup of the production line.

Techs kept turning the belts off and on again, to no avail. They’d start (almost) fine then get out of whack again.

To add to the joy, it turned out that the “I’m the only one knowing what they’re doing here” claims of said engineer turned out to be true, as no one was able to figure out the issue till the guy came back.

Hoonicus
3 months ago
Reply to  Goblin

I can’t imagine that ended well for him.

Goblin
3 months ago
Reply to  Hoonicus

The beauty of the story was that they never figured out what exactly had happened, till he spilled the beans decades later, after the regime change. Or so the story goes.

Cheap Bastard
3 months ago
Reply to  Goblin

So how was his bonus vacation in the Siberian Gulag?

The F--kshambolic Cretinoid Harvey Park
3 months ago
Reply to  Goblin

That story doesn’t make sense. If stuff Joe owns breaks after Joe goes on vacation, you call him back and make him fix his stuff.

Goblin
3 months ago

It’s because of how I tell it, not because of how it was told to me 🙂

I read it a long time ago, and as I mentioned – I can’t find it again. What is sure is that Joe had his behind covered one way or the other – not sure if anyone suspected it was a computer issue to begin with – and kept it covered for a long time.

As for breaking and owning – there is no dedicated “Stories about Soviet build quality” thread here (yet), so I’ll keep my stories hush for the time being. Let’s say that ownership of issues in civilian production was not exactly a thing back there and then.

I’m giving the benefit of the doubt to the military production, although I remember of at least one case where a million buck+ com station that came on a Kamaz chassis, was delivered brand new in my country with an engine seized in transit (with 20 miles on the odometer) because oil was low or not there at all straight out of the factory, in the very early 90’s.

Brian Ash
3 months ago

Connected tools and IoT things not being secure, topic is a decade old and companies are still churning out hot new products with security being their last concern. No one ever learns.

Kalieaire
3 months ago

I mentioned this on jalopnik, but my comment was on pending hell.

but yes, consider this being used on actually missing critical assembly lines like for Boeing/Spirit (cough door plug bolts) or SpaceX.

The implications are major.

The Dude
3 months ago
Reply to  Kalieaire

Boeing already has enough problems of their own due to the MBAs that infiltrated the company.

Goblin
3 months ago
Reply to  Kalieaire

Jalopnik’s “Pending Hell“… The very thing that made me discover The Autopian in the first place…

Captain Muppet
3 months ago
Reply to  Goblin

I only ever wanted to comment on Jalopnik when the article was wrong or belmingly stupid.

I actually comment here because it’s so good I want to join in.

Spartanjohn113
3 months ago
Reply to  Captain Muppet

Plus one for wholesome non-kinja.

Tbird
3 months ago
Reply to  Spartanjohn113

The overall positivity and depth of analysis on this site, both articles and comments is refreshing.

BigThingsComin
3 months ago
Reply to  Captain Muppet

So . . . you wanted to comment on most of their articles?

Captain Muppet
3 months ago
Reply to  BigThingsComin

Pretty much. It’s sad.

Bizness Comma Nunya
3 months ago

Car companies don’t need hackers to have incorrect torque to VIN associations on wireless tools.

Bob Boxbody
3 months ago

It’s ridiculous how companies jump to put everything online, without considering security at all. I seem to remember a company being hacked through their fish tank thermometer, because it was on their wifi, but had no security of its own. I always think of that when something I’ve purchased wants to be on my network.

VanGuy
3 months ago
Reply to  Bob Boxbody

I always think of that one too! It was some casino. A “smart” aquarium connected to their secure network. And you figure they have a lot of moolah at stake for any kind of networks there…

I recently connected my printer to my network via an ethernet connection to the router. I figure phones and laptops are about the only things I can generally trust with wireless connections since they do get regular updates.

Somehow I don’t trust smart bulbs and gadgets to get regular firmware/security updates.

David Lorengo
3 months ago
Reply to  VanGuy
Hoonicus
3 months ago

“In reality, anything on a network is a target.”
Ah-Yep, but let’s race ahead and make everything in our lives connected.
This is a job for Rtwyrm !
Too tight=broke.

Ranwhenparked
3 months ago
Reply to  Hoonicus

I get the benefit to this in less reliance on human quality control inspectors, but I remain unconvinced that my washer, refrigerator, dishwasher, and juicer need to be connected to the Internet or that doing so would benefit me in any meaningful way

Hoonicus
3 months ago
Reply to  Ranwhenparked

Seems they could have a hard wire secured port that downloads when the tool is in the cradle. As for your fridge, washer, and such, how are the manufacturers going to monetize your sweet data otherwise?

Hugh Crawford
3 months ago

Well I guess those aren’t secure sockets.

The F--kshambolic Cretinoid Harvey Park
3 months ago
Reply to  Hugh Crawford

Nerdy comment of the day.

Drive By Commenter
3 months ago
Reply to  Hugh Crawford

The inevitable Bluetooth 10mm?

Spikedlemon
3 months ago

As a correction: the units displayed are DC nutrunners (being battery powered), not a pneumatic nutrunner (operating based on air) as is noted in the article.

Whilst wireless ones are fairly common in the industry, most units are of a corded-type and would not be reliant upon wireless signals (as they are lighter, cheaper, do not need to be charged, and are generally more robust than cordless variants).

Dickran Vonhungtaint
3 months ago

The manipulation attack is essentially what Stuxnet did to Iranian uranium enrichment ~2009 by stealthily manipulating PLC controllers of centrifuges. The targeted equipment indicated normal operation but would alter the speeds and gas pressures to slowly destroy the equipment and hinder the enrichment process.

Mr. Asa
3 months ago

I wonder what would, ultimately, happen to the hackers that exploited this or something similar on one of the major manufacturers. Would they get their day in court? Would they quietly disappear?

Corporations don’t play for some things.

Mr. Asa
3 months ago
Reply to  Lewin Day

I’ve been following some of the modern ransomware stuff going on, and who is doing it (there was a school in India that gained some prominence for a while before breaking up and splintering.) A lot of the times it’s places where the laws in the victim’s country can’t reach, or the hacker’s country is very reticent about prosecuting or even providing data on the attack. As a result there’s very little legal recourse.

Combined with the fact that I have very little trust in anything any corporation does these days…

TheHairyNug
3 months ago

I’d wager a bet that this is what happened to Boeing’s wrenches when assembling the MAX 9, but I know that the real answer is corporate greed

Jdoubledub
3 months ago
Reply to  TheHairyNug

I got out of aerospace 6 years ago, but back then Boeing had a big push to eliminate their in house inspectors and have all suppliers do the inspections themselves and submit results via a web portal. Obviously it’s working out great.

Drive By Commenter
3 months ago
Reply to  Jdoubledub

If it’s Boeing I’m NOT going!
